Summary: NIS+ and LDAP - Single sign on

From: ABENOJA, ROBERT (PBIS) <ra7839_at_sbc.com>
Date: Fri May 16 2003 - 18:12:58 EDT
I want to thank everyone who responded: Alan Poe, Greg Mani, Dirk the Daring,
Jon Godfrey, Philip Plane, Jason Santos.  I have strung together some of the
responses below.

The overwhelming response was that NIS+ is proprietary and that Sun will not
be supporting this on later releases and will also be end-of-lifing it.

The majority of the responses indicate that LDAP is the way to go. I have a
minor concern about LDAP not being an "authentication mechanism on its
own".  I will have to look into this a little further.


On 2003-05-14 16:29:11 -0700, ABENOJA, ROBERT (PBIS) wrote:
> I have been asked to look into something similar to a one time login

"one time login"? I think you mean "single sign-on". Your words could
also be taken to imply one-time passwords or other challenge-response
mechanisms, but these are nearly orthogonal to the NIS vs. LDAP issue.

> solution that is considered secure.  I am just starting out and the two that
> come to mind are NIS+ and LDAP.  I have experience with NIS & NIS+ but I
> have never worked with LDAP.  I mainly need this for authentication (login
> access) and authorization (access permissions).  I just found out that this
> will need to support Linux as well as Solaris Servers and clients.  If
> possible Windows too.

That rules out NIS+. Everybody is going LDAP these days: Sun, Microsoft
(NT5's Active Directory is LDAP-based), Apple, and of course Linux can
use OpenLDAP.

Note that LDAP is only a directory access protocol; it is not by itself
an authentication mechanism. It can use various authentication
mechanisms to control who should have access to which data, and it
can be used to publish authentication information (password hashes,
public keys, etc.) if need be (though you may prefer to keep password
hashes private). You still have to choose one or more authentication
mechanisms, both host-to-host and client-to-host (and host-to-client).
If you plan to integrate Windows, then Kerberos 5 is worth looking into.

> I was wondering if anyone has done any research on this or has actually
> implemented such an environment and can give me their experiences.  I have a
> feeling that NIS+ is proprietary to a Sun solution.

NIS+ is definitely not as interoperable as LDAP. Even Sun has given
up on NIS+ and tells customers to use LDAP instead.

We haven't migrated to LDAP yet, but it's in our plans.


I researched this topic a couple of months ago.  We have not yet tried any of
these products, but plan to late this summer or early this fall.  The
products I found:

Company:  M-Tech
Product:  P-Synch and ID-Synch
Web Site:  http://mtechit.com   http://psynch.com   http://idsynch.com

Company:  Blockade Systems
Product:  ManageID
Web Site:  http://Blockade.com

Company:  SUN MicroSystems
Product:  Sun ONE Directory Server 5.2
Web Site:
http://wwws.sun.com/software/products/directory-srvr/dir5_2_prerelease.pdf

Company:  Netegrity
Product:  IdentityMinder
Web Site:  http://www.netegrity.com


As I said before, this info is a couple of months old, but hopefully will be
of some assistance to you.  If you get any info on any other product or info
from someone who has actually implemented a solution, could you please share
it with me or post a summary.

Greg Mani
greg.mani@navy.mil


Bob,

I would recommend using OpenLDAP, especially if you need to bind
Linux, Windows as well as Solaris clients.
Solaris Sun One (iPlanet) Directory Server is Sun proprietary and
requires purchasing a license from Sun, and they charge a lot.

Linux and Solaris 9 come with LDAP client capabilities and are easily
bindable to an OpenLDAP server. For Windows 2000/XP, you can install
pGina from http://pgina.xpasystems.com and authenticate users against
the same OpenLDAP server.

Good luck,
Alexei


   Yes, NIS+ is proprietary and Sun is making noises about dropping
support for NIS/NIS+ in future releases, so I suspect its days are
numbered.

   Have you looked at Novell Account Manager? It uses their eDirectory
(formerly Novell Directory Services) to provide authentication and access
control across multiple platforms, including Linux, Solaris and Windoze.
It's also LDAP v3 compliant. www.novell.com

Dirk


NIS+ is a nightmare to administer.  You're right in that it is Sun
proprietary (although I think a partial porting of it has taken place).
With the release of Solaris 9, Sun announced that it was end-of-lifing NIS+
in favor of LDAP/SSL.  I would suggest going in that direction just to save
further headaches down the road.

-jdg



Active Directory from Microsoft looks good for this. However the time I was
involved in trying to make it go we suffered horribly from the NIS layer.
NIS passwords are separate from the AD password. You can't change the AD
password from the NIS side.

LDAP looks good, and the Windows side can be handled by pGina
http://pgina.xpasystems.com/ 

Solaris and Linux can authenticate against LDAP using PAM.

LDAP seems to be widely supported by middleware and apps.

-- 
Philip Plane
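The first reply above makes the point that LDAP is only a directory access protocol and that the password hashes it can publish are better kept private; Philip's reply notes that Solaris and Linux authenticate against LDAP through PAM. The following is an added example (not from any of the respondents, nor from OpenLDAP, pam_ldap or pGina) that makes the distinction concrete with a toy in-memory directory: a PAM-style "simple bind" lets the directory server verify the password so the hash never leaves it, whereas a client that authenticates by reading userPassword and checking the hash itself only works when the ACL exposes hashes, and then every reader can verify (and guess at) them offline. The {SSHA} encoding used (base64 of SHA-1(password + salt) followed by the salt) is the real OpenLDAP scheme; the DN layout `uid=...,ou=people,dc=example,dc=com`, the `ToyDirectory` class and the `expose_hashes` switch are assumptions made for the example.

```python
# Added example, not from the sunmanagers thread or any product mentioned in it.
# Contrasts bind-based LDAP authentication (hash stays on the server) with
# client-side verification of a published userPassword hash.
import base64
import hashlib
import hmac
import os
from typing import Optional


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Encode a password as an OpenLDAP-style {SSHA} userPassword value:
    '{SSHA}' + base64(SHA1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(stored: str, password: str) -> bool:
    """Verify a candidate password against a {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def user_dn(uid: str) -> str:
    # Hypothetical DIT layout, assumed for the example.
    return f"uid={uid},ou=people,dc=example,dc=com"


class ToyDirectory:
    """Stand-in for an LDAP server (assumed for the example): entries keyed by
    DN, plus one ACL knob saying whether readers may see userPassword."""

    def __init__(self, expose_hashes: bool):
        self.expose_hashes = expose_hashes
        self.entries = {}

    def add_user(self, uid: str, password: str) -> str:
        dn = user_dn(uid)
        self.entries[dn] = {"uid": uid, "userPassword": make_ssha(password)}
        return dn

    def bind(self, dn: str, password: str) -> bool:
        """Simple bind: the server checks the credential itself, so the hash
        never leaves the directory. This is the model pam_ldap relies on."""
        entry = self.entries.get(dn)
        return entry is not None and check_ssha(entry["userPassword"], password)

    def search(self, dn: str) -> Optional[dict]:
        """Return an entry as a reader would see it; userPassword is
        included only when the ACL exposes it."""
        entry = self.entries.get(dn)
        if entry is None:
            return None
        visible = dict(entry)
        if not self.expose_hashes:
            visible.pop("userPassword")
        return visible


def login_via_bind(directory: ToyDirectory, uid: str, password: str) -> bool:
    """The PAM-style path: delegate verification to the directory."""
    return directory.bind(user_dn(uid), password)


def login_via_published_hash(directory: ToyDirectory, uid: str,
                             password: str) -> Optional[bool]:
    """The 'publish the hash' path: fetch userPassword and verify locally.
    Returns None when the directory does not expose the hash. Whenever this
    works, anyone with the same read access can verify guesses offline too."""
    entry = directory.search(user_dn(uid))
    if entry is None or "userPassword" not in entry:
        return None
    return check_ssha(entry["userPassword"], password)


if __name__ == "__main__":
    private = ToyDirectory(expose_hashes=False)
    private.add_user("bob", "s3cret")          # constructed sample account
    print("bind, private hashes:", login_via_bind(private, "bob", "s3cret"))
    print("read hash, private hashes:", login_via_published_hash(private, "bob", "s3cret"))
    public = ToyDirectory(expose_hashes=True)
    public.add_user("bob", "s3cret")
    print("read hash, exposed hashes:", login_via_published_hash(public, "bob", "s3cret"))
```

The design point is that the bind path works regardless of the ACL, while the published-hash path is only possible when the directory leaks what the first reply suggests keeping private; a client that needs the second path is a sign the ACL on userPassword is too permissive.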

I would suggest you go down the LDAP route for a few reasons:

1) NIS+ is deprecated and will be removed from a future version of Solaris
(probably Solaris 10 which is due by Q1 2004)
2) LDAP is supported across more platforms natively or through PAM
3) Windows ActiveDirectory uses LDAP, and it is possible to extend the AD
schema to support single sign-on for all LDAP aware systems (including
Linux, Solaris, Apache, etc.)

Good luck!

--
Jason Santos


Thank you,
Bob Abenoja
SBC Operations Engineer - San Ramon CA
Phone Number: 925.806.4782
Pager Number: 925.281.6305
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers